on 05-26-2010 1:44 PM
BO XI R3
We are experiencing this really strange phenomenon.
We have AD authentication enabled which worked fine until some persons start complaining they got the error "Account Information Not Recognized: Access is denied" when trying to logon to the CMC.
It sounded like a normal lack of rights. However, after some investigation I don't have any clue.
1) I checked the user and its memberships. Then I checked access to the CMC -> OK
details inheritance:
- BO group 1
- BO group 2
- BO group 3
- AD group 4
- user1
rights to logon to CMC are given on BO group 3 level
2) password of the user was correct (because otherwise you'll get another error: Account Information Not Recognized: Active Directory Authentication failed to log you on. Please contact your system administrator to make sure you are ...)
3) another user (member of another AD group) could logon with AD authentication to the CMC, so no existing problems with AD authentication
4) i added an enterprise alias to the AD user1 account in BO to exclude rights problem ->SUCCESS, user could logon to CMC with enterprise auth. ==> definitely no rights problem
5) i asked other members of AD group4 to try to logon to CMC with AD credentials -> they all experience the same problems (Access denied)
6) then I thought there might be something wrong with the AD group linking. I removed the AD group, updated Windows AD auth and re-added, updated again. I then re-linked this AD group to the BO group 3. => problem persists.
7) an ultimate test (however I was pretty sure no rights issue was involved, see 4)), I added the user to the administrators group -> could log in to CMC with AD auth????
8) as this environment was a migration of our R2 environment, we had another R3 environment which had exactly the same R2 source => no problems with AD authentication over there?!!
Anyone a clue?
Hi Tom,
My first thought is that there must be an explicit deny in one of the groups that this user is a member of. An explicit deny overtakes any not specified, or explicit grants.
The CMC has a new Query Results section that has Security Queries that you can carry out. You could try using that to determine the rights.
Also, if you go to CMC/Applications/CMC/User Security, you should be able to add the user specifically and then do a view security to see what the combined rights are for that user.
It's got to be a right of some sort that is propagating down. The strange thing is that you state that adding the user to the Administrators group resolves this issue. This means that the right must be not specified at some level, because if it was denied, even adding them to the Administrators group wouldn't matter.
Thanks
Jonathan
Txs all for the replies. After doing extensive checks and re-checks, I finally was able to find the problem.
It appeared to be linked to security rights after all:
USER top-level ->
Edit the object (that the user owns)
was missing.
Apparently this right is only needed when you log in with AD auth (why?) and not with an enterprise account.
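A small Python model of the rights reasoning in Jonathan's reply and of Tom's resolution, written for this thread and not taken from any post or from SAP's software. It assumes a simplified BusinessObjects-style precedence (an explicit Denied beats Granted, which beats Not Specified), the membership chain from the first post, that Administrators grants every right, and that AD logon additionally needs "Edit the object (that the user owns)" while an Enterprise alias needs only the logon right.

```python
from enum import Enum

class Right(Enum):
    GRANTED = "granted"
    DENIED = "denied"
    NOT_SPECIFIED = "not specified"

# Membership chain from the thread (constructed): BO group 1 > BO group 2 > BO group 3 > AD group 4 > user1
PARENTS = {
    "user1": ["AD group 4"], "AD group 4": ["BO group 3"], "BO group 3": ["BO group 2"],
    "BO group 2": ["BO group 1"], "BO group 1": [], "Administrators": [],
}
LOGON = "Log on to the CMC"
EDIT_OWN = "Edit the object (that the user owns)"  # the right Tom found missing on the User top level

def principals_of(user, parents):
    """The user plus every group it inherits from, following parent links upward."""
    seen, stack = [], [user]
    while stack:
        p = stack.pop()
        if p not in seen:
            seen.append(p)
            stack.extend(parents.get(p, []))
    return seen

def effective_right(user, right, acl, parents=PARENTS):
    """Assumed precedence: any explicit Denied wins, then any Granted, else Not Specified."""
    settings = {acl.get((p, right), Right.NOT_SPECIFIED) for p in principals_of(user, parents)}
    if Right.DENIED in settings:
        return Right.DENIED
    return Right.GRANTED if Right.GRANTED in settings else Right.NOT_SPECIFIED

def can_log_on(user, auth, acl, parents=PARENTS):
    """Assumption drawn from the thread's outcome: AD logon also needs EDIT_OWN, Enterprise logon does not."""
    needed = [LOGON, EDIT_OWN] if auth == "ad" else [LOGON]
    return all(effective_right(user, r, acl, parents) is Right.GRANTED for r in needed)

# Scenario 1: EDIT_OWN never granted on the chain -> Not Specified, so AD fails while the
# Enterprise alias works, and adding user1 to Administrators (which grants everything) fixes it.
ACL_MISSING = {("BO group 3", LOGON): Right.GRANTED,
               ("Administrators", LOGON): Right.GRANTED, ("Administrators", EDIT_OWN): Right.GRANTED}
WITH_ADMIN = {**PARENTS, "user1": ["AD group 4", "Administrators"]}

# Scenario 2: an explicit Denied higher up -> even Administrators membership cannot override it.
ACL_DENIED = {**ACL_MISSING, ("BO group 1", EDIT_OWN): Right.DENIED}

if __name__ == "__main__":
    print("AD, right missing:", can_log_on("user1", "ad", ACL_MISSING))                     # False
    print("Enterprise alias:", can_log_on("user1", "enterprise", ACL_MISSING))              # True
    print("AD + Administrators:", can_log_on("user1", "ad", ACL_MISSING, WITH_ADMIN))       # True
    print("AD + Administrators, deny:", can_log_on("user1", "ad", ACL_DENIED, WITH_ADMIN))  # False
```

Scenario 1 reproduces what Tom observed (AD fails, alias works, Administrators fixes it); scenario 2 is the explicit-deny case Jonathan ruled out, where no group membership can help.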
Hi Tom,
I would suggest you recheck your Windows AD configuration step by step. Check the service principal name first. Check if it's been created properly and delegated service rights on the BOBJ server machine. Check its bindings. The documentation contains detailed steps for the configuration of AD authentication. Recheck and reapply each one of those. I had encountered a similar problem once during migration, and rechecking and reapplying everything solved it for me. And do maintain a log of all your activities, including those of the webserver.
Edited by: Abdul Khalid on May 29, 2010 2:51 AM
Txs Jonathan and Tim for the feedback, but
- restart CMS did not solve the problem
- I seriously doubt that missing rights might be the problem (however the administrator thing remains very strange): as I listed in 4), I used the same user, once with AD auth -> Not OK and once with enterprise auth (alias) -> OK
Is there a way to activate more detailed logging on this error?
You can enable a trace on the CMS. This will give you detailed information about the Windows AD authentication portion. To do this, you can add a -trace to the command line of the CMS, or to enable a live trace, follow this note:
1335757 - Enabling and disabling tracing in XI 3.1 for specific services without requiring a restart
https://service.sap.com/notes/
Thanks
Jonathan
Also, you may want to try restarting the CMS; if it worked before, possibly the AD graph has somehow cached bad info. Restarting the CMS will build a new graph.
Regards,
Tim